On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the source protocol address and source physical address fields are discarded. For more information about the ARP cache, see “ARP Cache Table” in the Multicast and Routing Guide.
ARP requests are ordinarily broadcast and received by all devices in a broadcast domain. Most ARP devices update their IP-to-MAC address entries each time they receive an ARP packet even if they did not request the information. This behavior makes an ARP cache vulnerable to attacks.
Because ARP allows a node to update its cache entries on other systems by broadcasting or unicasting a gratuitous ARP reply, an attacker can send his own IP-to-MAC address binding in the reply that causes all traffic destined for a VLAN node to be sent to the attacker's MAC address. As a result, the attacker can intercept traffic for other hosts in a classic "man-in-the-middle" attack. The attacker gains access to any traffic sent to the poisoned address and can capture passwords, e-mail, and VoIP calls or even modify traffic before resending it.
Another way in which the ARP cache of known IP addresses and associated MAC addresses can be poisoned is through unsolicited ARP responses. For example, an attacker can associate the IP address of the network gateway with the MAC address of an ordinary network node. Outgoing traffic is then sent to that node instead of to the gateway; because the node has no access to outside networks, the traffic cannot leave the network, and the node is overwhelmed by outgoing traffic destined for other networks.
Dynamic ARP protection is designed to protect your network against ARP poisoning attacks in the following ways:
- Allows you to differentiate between trusted and untrusted ports.
- Intercepts all ARP requests and responses on untrusted ports before forwarding them.
- Verifies IP-to-MAC address bindings on untrusted ports with the information stored in the lease database maintained by DHCP snooping and user-configured static bindings (in non-DHCP environments):
DHCP snooping intercepts and examines DHCP packets received on switch ports before forwarding the packets. DHCP packets are checked against a database of DHCP binding information. Each binding consists of a client MAC address, port number, VLAN identifier, leased IP address, and lease time. The DHCP binding database is used to validate packets by other security features on the switch.
If you have already enabled DHCP snooping on a switch, you may also want to add static IP-to-MAC address bindings to the DHCP snooping database so that ARP packets from devices that have been assigned static IP addresses are also verified.
When dynamic ARP protection is enabled, only ARP request and reply packets with valid IP-to-MAC address bindings in their packet header are relayed and used to update the ARP cache.
Dynamic ARP protection is implemented in the following ways on a switch:
- You can configure dynamic ARP protection only from the CLI; you cannot configure this feature from the WebAgent or menu interfaces.
- Line rate—Dynamic ARP protection copies ARP packets to the switch CPU, evaluates the packets, and then re-forwards them through the switch software. During this process, if ARP packets are received at too high a line rate, some ARP packets may be dropped and will need to be retransmitted.
- The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure dynamic ARP protection and to report ARP packet-forwarding status and counters.
To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp-protect vlan command at the global configuration level.
Syntax:
In a similar way to DHCP snooping, dynamic ARP protection allows you to configure VLAN interfaces in two categories: trusted and untrusted ports. ARP packets received on trusted ports are forwarded without validation.
By default, all ports on a switch are untrusted. If a VLAN interface is untrusted:
- The switch intercepts all ARP requests and responses on the port.
- Each intercepted packet is checked to see if its IP-to-MAC binding is valid. If a binding is invalid, the switch drops the packet.
You must configure trusted ports carefully. For example, in the topology in Trusted ports for dynamic ARP protection, Switch B may not see the leased IP address that Host 1 receives from the DHCP server. If the port on Switch B that is connected to Switch A is untrusted and if Switch B has dynamic ARP protection enabled, it will see ARP packets from Host 1 as invalid, resulting in a loss of connectivity.
On the other hand, if Switch A does not support dynamic ARP protection and you configure the port on Switch B connected to Switch A as trusted, Switch B opens itself to possible ARP poisoning from hosts attached to Switch A.
Take into account the following configuration guidelines when you use dynamic ARP protection in your network:
- You should configure ports connected to other switches in the network as trusted ports. In this way, all network switches can exchange ARP packets and update their ARP caches with valid information.
- Switches that do not support dynamic ARP protection should be separated by a router in their own Layer 2 domain. Because ARP packets do not cross Layer 2 domains, the unprotected switches cannot unknowingly accept ARP packets from an attacker and forward them to protected switches through trusted ports.
To configure one or more Ethernet interfaces that handle VLAN traffic as trusted ports, enter the arp-protect trust command at the global configuration level. The switch does not check ARP requests and responses received on a trusted port.
Syntax:
A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet validation. Both the DHCP snooping and DHCP Option 82 insertion features maintain the lease database by learning the IP-to-MAC bindings on untrusted ports. Each binding consists of the client MAC address, port number, VLAN identifier, leased IP address, and lease time.
If your network does not use DHCP or if some network devices have fixed, user-configured IP addresses, you can enter static IP-to-MAC address bindings in the DHCP binding database. The switch uses manually configured static bindings for DHCP snooping and dynamic ARP protection.
To add a static IP-to-MAC binding for a port to the database, enter the ip source-binding command at the global configuration level. Use the no form of the command to remove the IP-to-MAC binding from the database.
Syntax:
Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp-protect validate command at the global configuration level.
Syntax:
You can configure one or more of the validation checks. The following example of the arp-protect validate command shows how to configure the validation checks for source MAC address and destination MAC address:
To display the current configuration of dynamic ARP protection, including the additional validation checks and the trusted ports that are configured, enter the show arp-protect command:
To display statistics about forwarded ARP packets, dropped ARP packets, MAC validation failures, and IP validation failures, enter the show arp-protect statistics <vid-range> command:
Output for the show arp-protect statistics command
HP Switch(config)# show arp-protect statistics 1-2

 Status and Counters - ARP Protection Counters for VLAN 1

  Forwarded pkts      : 10       Bad source mac      : 2
  Bad bindings        : 1        Bad destination mac : 1
  Malformed pkts      : 0        Bad IP address      : 0

 Status and Counters - ARP Protection Counters for VLAN 2

  Forwarded pkts      : 1        Bad source mac      : 1
  Bad bindings        : 1        Bad destination mac : 1
  Malformed pkts      : 1        Bad IP address      : 1
When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp-protect command. Use this command when you want to debug the following conditions:
- The switch is dropping valid ARP packets that should be allowed.
- The switch is allowing invalid ARP packets that should be dropped.
Output for the debug arp-protect command
HP Switch(config)# debug arp-protect

1. ARP request is valid
   "DARPP: Allow ARP request 000000-000001,10.0.0.1 for 10.0.0.2 port 1, vlan "
2. ARP request detected with an invalid binding
   "DARPP: Deny ARP request 000000-000003,10.0.0.1 port 1, vlan 1"
3. ARP response with a valid binding
   "DARPP: Allow ARP reply 000000-000002,10.0.0.2 port 2, vlan 1"
4. ARP response detected with an invalid binding
   "DARPP: Deny ARP reply 000000-000003,10.0.0.2 port 2, vlan 1"
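The following Python model is an added illustration, not HP switch code, of how the pieces described above fit together on an untrusted port: the binding check against the DHCP snooping / ip source-binding table, the optional arp-protect validate checks, trusted-port bypass, and the counter names printed by show arp-protect statistics. The exact semantics of the src-mac, dst-mac and ip checks, the order in which checks are applied, and the binding table contents are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Counter names as printed by "show arp-protect statistics"
COUNTERS = ("Forwarded pkts", "Bad source mac", "Bad bindings",
            "Bad destination mac", "Malformed pkts", "Bad IP address")

@dataclass
class ArpPkt:
    """One ARP frame as received on a port (all values constructed for the example)."""
    port: int; vlan: int            # ingress port and VLAN
    eth_src: str; eth_dst: str      # Ethernet header source / destination MAC
    op: str                         # "request" or "reply"
    sha: str; spa: str              # ARP body: sender hardware / protocol (IP) address
    tha: str; tpa: str              # ARP body: target hardware / protocol (IP) address

def bad_ip(ip: str) -> bool:
    """Assumed 'validate ip' rule: 0.0.0.0, 255.255.255.255, multicast and class E are invalid."""
    a = ipaddress.IPv4Address(ip)
    return a.is_unspecified or a.is_multicast or a.is_reserved   # 255.255.255.255 is in 240/4

@dataclass
class ArpProtect:
    bindings: dict                              # (vlan, ip) -> (mac, port): DHCP snooping leases + ip source-binding
    trusted: set = field(default_factory=set)   # ports configured with arp-protect trust
    validate: set = field(default_factory=set)  # any of "src-mac", "dst-mac", "ip"
    stats: dict = field(default_factory=dict)   # vlan -> counter name -> count

    def _tally(self, vlan: int, name: str) -> str:
        per_vlan = self.stats.setdefault(vlan, dict.fromkeys(COUNTERS, 0))
        per_vlan[name] += 1
        return name

    def inspect(self, p: ArpPkt) -> str:
        """Return the counter this frame lands in; 'Forwarded pkts' means it is relayed."""
        if p.port in self.trusted:                     # trusted ports are never validated
            return self._tally(p.vlan, "Forwarded pkts")
        if p.op not in ("request", "reply"):
            return self._tally(p.vlan, "Malformed pkts")
        if "src-mac" in self.validate and p.sha != p.eth_src:
            return self._tally(p.vlan, "Bad source mac")
        if "dst-mac" in self.validate and p.op == "reply" and p.tha != p.eth_dst:
            return self._tally(p.vlan, "Bad destination mac")
        if "ip" in self.validate and (bad_ip(p.spa) or (p.op == "reply" and bad_ip(p.tpa))):
            return self._tally(p.vlan, "Bad IP address")
        if self.bindings.get((p.vlan, p.spa)) != (p.sha, p.port):   # the binding check itself
            return self._tally(p.vlan, "Bad bindings")
        return self._tally(p.vlan, "Forwarded pkts")

# Constructed binding table matching the debug example above: two leases on VLAN 1
SAMPLE_BINDINGS = {(1, "10.0.0.1"): ("000000-000001", 1), (1, "10.0.0.2"): ("000000-000002", 2)}
```

Feeding the model a request whose sender IP is leased to a different MAC (the second debug message above) lands in "Bad bindings", while the same frame arriving on a trusted port is forwarded unchecked, which is why trusted ports toward unprotected switches need care.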